A great deal has been written and said about GDPR over the last few months, and I expect it will continue. New interpretations keep appearing online, and there is a general panic as the Regulation approaches. Let us not forget, however, that there is already a Personal Data Protection Act, which largely regulates the same relationships as the Regulation, mostly in an offline environment. As far as the online environment is concerned, the questions that matter most to me, those about collecting data on our users' behaviour, are in most cases avoided. To a large extent these questions will stay open for a while, since they also fall under the ePrivacy Regulation, which will be under discussion for a long time. Nevertheless, after 25 May 2018 we will keep using Google Analytics on our sites and keep collecting data and generating reports. So how will GDPR and Google Analytics work together?
What is Google Analytics and how does it work?
Search the web and you'll find many good articles on how useful Google Analytics can be for your business. In Bulgaria, almost every site has Google Analytics installed as its web analytics tool.
The Absolute Beginner’s Guide to Google Analytics – https://moz.com/blog/absolute-beginners-guide-to-google-analytics
First steps with Google Analytics - https://support.google.com/analytics/answer/1008015?hl=bg
9 Awesome Things You Can Do With Google Analytics 5 – https://blog.kissmetrics.com/awesome-google-analytics/
How will GDPR affect the use of Google Analytics?
In short, when you use Google Analytics, you and Google share personal data: data that relate to a particular identifiable individual (a data subject). Under current local law some of these data are not protected; GDPR changes this.
Regarding the Regulation, it is essential to clarify the following: you are the data controller, and Google is your data processor.
The General Data Protection Regulation applies from 25 May 2018 and aims to give greater protection to the personal data of individuals (data subjects) in the EU, reflecting how far technology has advanced and how much we all rely on it. Under the new and broader GDPR definition, personal data is any information relating to a person who can be identified by "all means reasonably likely to be used", which includes considering how a person could be identified if you combine otherwise unrelated data sets you hold. So it still covers information such as someone's name and address, but now also covers online identifiers, including IP addresses, cookie identifiers and pseudonymised data. Pseudonymisation, as defined by the Commission for Personal Data Protection (the Bulgarian supervisory authority), is a privacy technique in which personal data are processed in such a way that the individual can no longer be identified without the use of additional information, and that additional information is kept separately and protected by technical and organisational measures.
If you either have an online shop that operates in the EU and therefore process data of people in the EU, or
monitor the behaviour of users on your website,
then GDPR applies to you.
This means you have to comply with the GDPR requirements, and you also have to be able to demonstrate that you are doing so (the accountability principle).
So what do GDPR and Google Analytics have in common?
The purpose of using Google Analytics is to let Google process the data you have collected so that it can ultimately generate the reports you need. Under current data protection legislation, at least some of the data used by Google Analytics is probably not personal data, but, as mentioned, under the broader GDPR definitions it will be.
The issue is further complicated because you need to look at both aspects:
you allow Google access to your users' data, and
you use Google's data in the reports that Google Analytics produces.
For example, you could collect, and allow Google access to:
email addresses, if they form part of the login process on your website, or
usernames in the URLs of the pages you collect, because the username is part of the URL (for example, https://www.site.com/user/johnsmith). Note that Google Analytics records the full page path including the query string, so a parameter such as ?email=... ends up in your reports too.
From Google's data you may be able to identify an individual by "any means reasonably likely to be used", for example by combining a record with an IP address.
Do not forget client-specific pages
Just because content is only available to users who have logged in to your website (for example, as a member of the site) does not mean that the personal data collected there is exempt from the GDPR requirements.
You need a legal basis for processing (collecting, using, storing, etc.) data, and your business may be one of many that rely on the individual's consent. At first glance it seems quite easy to get someone to agree that you may use their data for your purposes. Unfortunately, under GDPR the question of consent is much more complicated. The Regulation also clearly requires data minimisation: collect as little data as possible, and have a reason for every item you collect. For example, if I buy a product from your online shop and you deliver it to me, you need my name, phone number and address, and possibly an email address if registration is required and your site has no quick-order option.
What data, then, do we get from Analytics reports?
Does Google meet GDPR requirements?
Google is committed to complying with GDPR and, for example, tells us that Internet users have the option of "installing the Google Analytics opt-out browser add-on". The problem is that this does not transfer your responsibility to Google or to anyone else.
If you look closely at Google's own terms of service (which you accept when setting up Google Analytics), they clearly state that YOU are "solely responsible" for your use of Google Analytics, and that you are responsible for
ensuring that no "personally identifiable information" (i.e. anything that can identify a person) is passed between you and Google, and
So, sending data that could identify a person to Google Analytics may mean both a violation of GDPR and a breach of the Google Analytics terms. This means that not only could the Commission for Personal Data Protection (the body that will supervise GDPR compliance in Bulgaria) fine you; you are also likely to lose the ability to use Google Analytics, because Google may terminate your agreement.
What to do if you want to continue using Google Analytics?
(1) Get to know the data you store
Many businesses store data that are never used, so regular data clean-ups are always a good idea, especially in the context of GDPR. Remember, you may only keep data for as long as there is a reasonable need for them.
Be aware of what data you hold and how you process them (use, store, etc.).
Then look at what information you actually need to collect and use, and for how long you need it.
Do you have a legal basis for processing? If not, there is still time to fix things. For example, if you rely on someone's consent to use their data, make sure that consent meets the GDPR requirements. Otherwise, you may not legally use those data after 25 May 2018.
Once you have done this, permanently delete everything you do not need or cannot justify keeping.
It may seem time-consuming, but in the end you will be ready and GDPR-compliant, especially if you repeat the exercise regularly.
(2) Have a clear privacy policy
Google requires you to have a clear and GDPR-compliant privacy policy. Do not be the one sitting there at 23:00 on 24 May trying to write one or find one.
Since you are also responsible for your organisation's compliance, consider implementing a complete data protection policy (defining how your business will meet its data protection obligations) with appropriate training, in-house or external, so that everyone is aware of the organisation's responsibilities and what they need to do. In my opinion, it is also time to designate an employee who is officially responsible for the data collected through Google Analytics.
(3) Clearly explain how you will use Google Analytics data
Set a clear limit so that you do not inadvertently share any "personally identifiable information".
If someone else has access to your Google Analytics account (for example, an agency or a freelancer who helps you analyse your website), be clear about the ownership of and responsibility for the account, control who has access, and clarify what they can (and cannot) do. Remove every permission that is not strictly necessary. For example, you used to work with a freelancer and now work with an agency: the freelancer's access must be revoked unless you still work with them. Be careful with whom you share Google Analytics credentials; Google Analytics lets you grant each person access under their own Google account at a specific permission level, so there is no need to hand out a shared email and password at all.
If you do not need to process IP addresses in Google Analytics, enable IP anonymisation. Note that the truncation is done on Google's side after the hit is received, so the full address is still transmitted to Google; it is just not stored. For details, read: https://support.google.com/analytics/answer/2763052?hl=en#
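Here is what section (3) amounts to in code, as an added example that is not part of the original post and not Google's own code: a small JavaScript wrapper that scrubs usernames and email addresses out of the page path before it is handed to the tracker, that only emits a pageview once the visitor has consented (the point of section (5) below), and that builds the gtag('config', ...) arguments with anonymize_ip set. The /user/<name> URL pattern, the list of query parameters treated as sensitive, the placeholder property ID and the injected send() function are assumptions made for the example; anonymize_ip is the real gtag.js parameter described at the link above.

```javascript
// Added example (not from the original post or from Google). Assumptions:
// the /user/<name> URL pattern, the PII_QUERY_KEYS list, the placeholder
// property ID, and the injected send() function that stands in for gtag().
// anonymize_ip is the real gtag.js parameter.

const USERNAME_PATH = /^\/user\/[^/?#]+/i;
// Matches one email address; a global copy is used for replace().
const EMAIL_RE = /[^\s@/?&=]+@[^\s@/?&=]+\.[a-z]{2,}/i;
const EMAIL_RE_G = new RegExp(EMAIL_RE.source, 'gi');
// Query parameters whose values are treated as personal data (assumed list).
const PII_QUERY_KEYS = new Set(['email', 'name', 'phone', 'user', 'username', 'token']);

// Return path + query of `url` with usernames and email addresses redacted.
// The fragment is dropped: Google Analytics does not record it anyway.
function scrubPath(url) {
  const u = new URL(url, 'https://example.invalid'); // base lets relative paths parse
  const path = u.pathname
    .replace(USERNAME_PATH, '/user/[redacted]')
    .replace(EMAIL_RE_G, '[email]');
  const qs = [];
  for (const [key, value] of u.searchParams) {
    const hide = PII_QUERY_KEYS.has(key.toLowerCase()) || EMAIL_RE.test(value);
    qs.push(encodeURIComponent(key) + '=' + (hide ? '[redacted]' : encodeURIComponent(value)));
  }
  return path + (qs.length ? '?' + qs.join('&') : '');
}

// Arguments for gtag('config', ...). With anonymize_ip Google zeroes the
// last octet of IPv4 / last 80 bits of IPv6 addresses before storing them;
// the full address still travels to Google's collection servers.
// send_page_view is off so that pageviews go through trackPageview() only.
function gaConfigArgs(propertyId, { anonymizeIp = true } = {}) {
  return ['config', propertyId, { anonymize_ip: anonymizeIp, send_page_view: false }];
}

// Emit a page_view only when consent is 'granted'; otherwise send nothing
// and return null. `send` receives the hit (in production: gtag('event', ...)).
function trackPageview(url, consent, send) {
  if (consent !== 'granted') return null;
  const hit = { event: 'page_view', page_path: scrubPath(url) };
  send(hit);
  return hit;
}

// Demo with constructed URLs.
const sent = [];
trackPageview('https://www.site.com/user/johnsmith/orders?ref=newsletter', 'granted', h => sent.push(h));
trackPageview('https://www.site.com/reset?email=john%40example.com', 'denied', h => sent.push(h));
console.log(gaConfigArgs('UA-XXXXXXX-1'), sent);
```

In a real page the `send` callback would be `gtag('event', hit.event, { page_path: hit.page_path })`, called after `gtag(...gaConfigArgs(id))`, and the consent value would come from your own cookie banner, not from a hard-coded string.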
(4) Compliance with international data transfers
Google is a US company, and although some of its servers are located in the European Economic Area, there is still a chance that some data are transferred outside it. Because Google will be your data processor, you have to check that Google's transfers of data outside the EEA are GDPR-compliant. Google currently relies on the EU-US Privacy Shield framework, but this is a dynamic area and things are changing. Since the responsibility is yours, keep a simple, repeatable process showing that you regularly check Google's GDPR compliance, so you can prove that you are meeting your obligations.
Last week (23.03.2018) I received an official email: Google has announced its new user consent policy, which takes effect on 25.05.2018 and is in line with the GDPR. If you have not yet accepted the conditions, you should be aware that you must visit your Google Analytics account to do so.
(5) Remember the rights of data subjects
Finally, under GDPR data subjects have much more control over their data. If you want to keep using analytics tools and are concerned that some personal data (such as IP addresses) may be processed, the most reasonable approach is to make sure that users of your website
know that you are using Google Analytics and understand how it works and how their data are used;
give their explicit consent for their data to be processed by Google Analytics;
can change their minds and withdraw that consent easily, at any time.
According to the Commission for Personal Data Protection's interpretation of the GDPR:
"Consent is one of the alternative grounds for lawful processing of personal data. If the controller decides to process data on this basis, it should be able to demonstrate that the consent is:
· Freely given - not under pressure or threat of adverse consequences (e.g. a higher price for the service);
· Specific - a separate agreement for each specific purpose and, where relevant, for each particular category of personal data;
· Informed - given on the basis of complete, accurate and easily understandable information;
· Unambiguous - not inferred or implied from other statements or actions of the individual;
· Given by an affirmative act - an explicit statement or clear confirmatory action, including online. The silence of the person or pre-ticked consent boxes cannot be accepted as valid consent."
You can read more in the Practical Issues of Personal Data Protection section of the Commission for Personal Data Protection website: https://www.cpdp.bg/?p=element&aid=1115
Useful GDPR links for business:
EU Guidelines for GDPR Implementation: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
Rules for companies and organizations: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en
What is a breach of data security and what should be done in the event of a data security breach? https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-data-breach-and-what-do-we-have-do-case-data-breach_bg
Proposal for a e-Privacy Regulation https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation
Guide to the General Data Protection Regulation (GDPR) published by the ICO (the UK body responsible for personal data protection): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/
Data Protection - Better Rules for Small Business / Infographics / https://ec.europa.eu/justice/smedataprotect/index_en.htm